The present invention relates to the general field of anonymizing data.
Although this is not limiting on the invention, a preferable use of the invention is in the healthcare field, for anonymizing a patient's medical records.
In this field, for a number of years, complementary insurers have sought to access healthcare data contained in electronic care sheets that are received at present only by compulsory insurers.
Clearly this touches on sensitive areas such as protection of individual liberties and medical confidentiality.
For a number of years microcircuit cards (smart cards) have been used in the healthcare field.
In France, for example, healthcare professionals (doctors, pharmacists, etc.) use a professional microcircuit card with identification, signature, and encryption functions for transferring electronic care sheets.
In France, an insured person's SESAME VITALE card is at present used only to identify insured persons to healthcare professionals and to record their entitlements. This card is welcomed by insured persons because it speeds up reimbursement.
However, a SESAME VITALE card does not enable complementary insurers to carry out electronic processing of detailed medical data, for example to perform statistical analyses covering the entire insured population.
The document EP 1 099 996 describes a system for managing sensitive medical data of a patient anonymously.
That system includes a first subsystem that associates data identifying each patient with an identifier (scrambled id) generated from the patient's identification data.
The system disclosed in EP 1 099 996 also includes a database that stores sensitive medical data for each patient, received from data providers, in association with the patient's identifier.
That system has a major drawback because the data provider, the first subsystem, and the database all share the same identifier.
Consequently, the system disclosed in EP 1 099 996 is not strictly speaking an anonymous system, since the first subsystem would be able to obtain all the sensitive medical data for an identified patient if it were to access said database (whether legitimately or fraudulently).
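The linkability drawback described above can be made concrete with a small model of the three parties. The following Python is added illustration, not code from EP 1 099 996 or from the present patent: the party classes, the keyed SHA-256 derivation of the scrambled id (the page only says it is "generated from the patient's identification data"), the key value and the sample records are all assumptions made for the demonstration. It shows that the database by itself holds no names, yet the first subsystem, which already knows the identifier for a named patient, recovers that patient's entire sensitive history the moment it can read the database.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed model of the prior-art arrangement: provider, first subsystem and
# database all use ONE shared identifier. Key, names and records are assumptions.
SUBSYSTEM_KEY = b"constructed-demo-key-not-a-real-secret"


def scrambled_id(identification_data: str) -> str:
    """Derive the shared identifier from the patient's identification data.

    Keyed SHA-256 (HMAC) is an assumed derivation; the page does not give the
    real one. What matters for the drawback is that the value is deterministic
    and identical for every party.
    """
    return hmac.new(SUBSYSTEM_KEY, identification_data.encode("utf-8"),
                    hashlib.sha256).hexdigest()


class FirstSubsystem:
    """Holds the link between identifying data and the scrambled id."""

    def __init__(self):
        self.identity_table = {}  # identification data -> scrambled id

    def register(self, identification_data: str) -> str:
        sid = scrambled_id(identification_data)
        self.identity_table[identification_data] = sid
        return sid


class SensitiveDatabase:
    """Stores sensitive records per scrambled id; it never receives names."""

    def __init__(self):
        self.records = defaultdict(list)  # scrambled id -> list of records

    def store(self, sid: str, record: dict) -> None:
        self.records[sid].append(record)


def provider_submit(subsystem: FirstSubsystem, db: SensitiveDatabase,
                    identification_data: str, record: dict) -> str:
    """A data provider tags its record with the same shared identifier."""
    sid = subsystem.register(identification_data)
    db.store(sid, record)
    return sid


def relink(subsystem: FirstSubsystem, db: SensitiveDatabase,
           identification_data: str) -> list:
    """The drawback in one step: given database access, the first subsystem
    maps a named patient to the shared id and reads every record filed under it.
    Even an unregistered name can be resolved, because the derivation is
    reproducible by whoever holds the key."""
    sid = subsystem.identity_table.get(identification_data)
    if sid is None:
        sid = scrambled_id(identification_data)
    return list(db.records.get(sid, []))


def build_demo():
    """Constructed sample data: two providers file records for 'patient-A',
    one provider files a record for 'patient-B'."""
    subsystem, db = FirstSubsystem(), SensitiveDatabase()
    provider_submit(subsystem, db, "patient-A",
                    {"provider": "pharmacy", "item": "prescription A"})
    provider_submit(subsystem, db, "patient-A",
                    {"provider": "GP", "item": "consultation"})
    provider_submit(subsystem, db, "patient-B",
                    {"provider": "GP", "item": "consultation"})
    return subsystem, db


if __name__ == "__main__":
    subsystem, db = build_demo()
    print(sorted(db.records))                      # hex digests only, no names
    print(relink(subsystem, db, "patient-A"))      # both records, re-identified
```

The database on its own is keyed only by hex digests and cannot name anyone; the breach of anonymity arises solely from combining the first subsystem's identity table (or its derivation key) with read access to the database, which is exactly the situation the text objects to.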